RE: [PATCH 2/2] x86/tdx: Accept hotplugged memory before online

From: Reshetova, Elena

Date: Thu Apr 02 2026 - 04:22:16 EST


> On Mon, 2026-03-30 at 11:10 -0400, Pratik R. Sampat wrote:
> > SNP likely has an analogous issue too.
> > Failing to switch states on remove will cause that RMP entry to
> > remain validated. A malicious hypervisor could then remap this GPA to
> > another HPA which would put this in the Guest-Invalid state. On re-
> > hotplug if we ignore errors suggested by Patch 1 (in our case that'd
> > be PVALIDATE_FAIL_NOUPDATE error likely), we could have two RMP
> > entries for the same GPA and both being validated. This is dangerous
> > because the hypervisor could swap these at will.
>
> Oh, I was just wondering if we could just zero the page on accept
> failure for the case of already accepted. Handle the issue internally
> and actually go back to something like patch 1. Will it work for SNP?

I don't know about SNP, but if you are proposing to zero the page on
double acceptance, this is not great from a security POV. It creates a
predictable behaviour primitive for the host to zero any data inside
the confidential guest and it can be misused (think of zeroing out a
page containing a cryptographic key).
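
The concern raised in this reply, as an added toy model (not code from the patch series or from any poster in this thread): it compares zeroing a page on an "already accepted" result with refusing the range. All names, the page size and the key are constructed, and the model assumes that accepting a pending page zeroes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model, not kernel code: every name below is hypothetical. */
#define PAGE_SZ 16   /* shortened page for the model */
#define NPAGES  4
enum accept_rc { ACCEPT_OK, ACCEPT_ALREADY };        /* modelled accept results */
enum policy { ZERO_ON_ALREADY, REJECT_ON_ALREADY };  /* guest handling choices */
struct page { int accepted; uint8_t data[PAGE_SZ]; };
static struct page mem[NPAGES];

/* Modelled accept: pending page is zeroed and accepted; accepted page errors. */
static enum accept_rc accept_page(int gpa)
{
    if (mem[gpa].accepted)
        return ACCEPT_ALREADY;
    memset(mem[gpa].data, 0, PAGE_SZ);
    mem[gpa].accepted = 1;
    return ACCEPT_OK;
}

/* Guest handling of a host-announced hotplug range; 0 = online, -1 = refused. */
int hotplug_accept(int start, int end, enum policy p)
{
    for (int gpa = start; gpa < end; gpa++) {
        if (accept_page(gpa) == ACCEPT_OK)
            continue;
        if (p == REJECT_ON_ALREADY)
            return -1;                      /* guest data left untouched */
        memset(mem[gpa].data, 0, PAGE_SZ);  /* wipe reachable by the host */
    }
    return 0;
}

/* Page 1 is in use and holds a key when the range arrives; 1 = key intact. */
int key_survives(enum policy p)
{
    static const uint8_t key[PAGE_SZ] = "constructed-key";
    memset(mem, 0, sizeof(mem));
    accept_page(1);
    memcpy(mem[1].data, key, PAGE_SZ);
    (void)hotplug_accept(0, NPAGES, p);
    return memcmp(mem[1].data, key, PAGE_SZ) == 0;
}

int main(void)
{
    printf("zero: %d, reject: %d\n", key_survives(ZERO_ON_ALREADY), key_survives(REJECT_ON_ALREADY));
    return 0;
}
```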